Configuring NAT/PAT and IP inspect

Jul 1st, 2009


We have configured an 1800 ISR to access the internet using NAT (actually PAT) and the overload feature.

Simple mode: fa0/0 is the inside interface and fa0/1 is the outside interface.

We need to apply ip inspect and enable IOS firewall as a security feature.

How do we apply IP inspect rules for the traffic that is being NATed, or do we just need to apply it?

Please share experience of configuring ip inspection with NAT/PAT.

any configuration link on

Thanks in advance.


networker99 Wed, 07/01/2009 - 07:30

The IP inspect uses CBAC, which works the same way as the SPI function on a regular firewall. There are 3 steps.

1. Configure NAT/PAT (which you have done)

2. Allow the required traffic outbound (ACL)

3. Create the IP inspect rules and apply them to the interface. The IP inspect rules should contain the traffic that should be permitted back in (replies to outbound requests) even though the ACL denies

** Creating INSPECT ***

ip inspect name MYTRAFFIC ftp

ip inspect name MYTRAFFIC http

ip inspect name MYTRAFFIC https

** Applying to interface **

On the interface you wish to permit the traffic

ip inspect MYTRAFFIC out
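
The three steps above combined into one configuration for the fa0/0 inside, fa0/1 outside layout from the question, as an added example that is not part of either post. The addresses, the ACL numbers 1, 100 and 101, and the `udp` inspection line are assumptions made for illustration.

```cisco
! Constructed example. Addresses and ACL numbers are placeholders.
!
! Step 1: NAT/PAT with overload
interface FastEthernet0/0
 description inside
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ! Step 2: outbound policy, checked as traffic enters from the LAN
 ip access-group 100 in
!
interface FastEthernet0/1
 description outside
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
 ! Unsolicited traffic from the internet is dropped here
 ip access-group 101 in
 ! Step 3: inspect sessions leaving through the outside interface;
 ! CBAC opens temporary entries in ACL 101 for their replies
 ip inspect MYTRAFFIC out
!
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface FastEthernet0/1 overload
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
!
! Nothing is permitted inbound statically; logging shows what gets denied
access-list 101 deny ip any any log
!
ip inspect name MYTRAFFIC ftp
ip inspect name MYTRAFFIC http
ip inspect name MYTRAFFIC https
! Assumption: added so DNS replies are allowed back in. With only the
! three rules above, name resolution to outside servers is blocked by ACL 101.
ip inspect name MYTRAFFIC udp
!
! Checks after applying:
!  show ip inspect sessions      (active inspected sessions)
!  show ip nat translations      (PAT entries for the same flows)
!  show access-lists 101         (hit counts on the deny entry)
```

Protocols that are not listed in the inspect rule get no return path through ACL 101, so test each application the inside hosts need before relying on the deny entry.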

